Cloud Security Alliance Details IoT Security Guidelines

Internet of things security is about more than just actual devices, the Cloud Security Alliance explains in a detailed report.

Internet of things security isn't just a concern for individual devices; it's a risk that extends to the cloud.
In a detailed 75-page report the Cloud Security Alliance (CSA) provides a detailed road map for developing secure internet of things products.
While internet of things devices are often small embedded systems, IoT and the cloud are heavily co-mingled, as IoT devices make use of cloud services.
"Whether we are talking about voice-controlled assistants or talking Barbies, these all interact with services in the cloud," Brian Russell, chairman of the IoT Working Group at CSA and chief engineer, Cyber Security Solutions, Leidos, told eWEEK. "CSA has well-defined cloud security guidelines, with the Cloud Controls Matrix (CCM) and other guidance, but we realized that if the IoT products themselves are not secure, then there will continue to be compromises."

Russell noted that the IoT can be thought of as a "system-of-systems," with many components working together to enable a service. In such a scenario, the system is only as secure as the weakest link.

"Unfortunately, IoT product vendors are often challenged in their ability to secure their products given they haven't been exposed to the need for security engineering in the past," Russell said.
Adding to the lack of vendor experience with security is a lack of skilled security engineers available to assist IoT vendors. Russell added that developers need a set of best practices to consider within their product development lifecycle, which is where the new CSA guidance is aiming to help fill the gap.
As part of the report, the CSA has outlined a secure IoT development methodology that will look somewhat familiar to engineers that have worked on cloud and mobile security in recent years.
"IoT security will have some similarities [to] and lessons learned from the adoption of cloud and mobile devices," John Yeoh, senior research analyst at CSA, told eWEEK.
Although there are many similarities with existing areas of security controls, IoT does introduce new areas of concern, for example, the need to understand the role that hardware plays in securing the device or exposing the device to vulnerabilities, Russell said. IoT is also a bit different from some other areas of technology in that it often aims for autonomous interactions between different types of products.
"This means that developers need to be aware of the other types of products or services that their devices may eventually interact with—and think through the potential security ramifications," Russell said. "For example, an automobile manufacturer may not have planned for an insurance company to build a dongle that connects to the OBD-II port and connects via Satcom or cellular."
A core element of the CSA IoT security approach is a safety impact assessment for a given IoT device to fully understand potential risks. Russell explained that the security impact assessment would need to answer several critical questions that would help expose the true risk.
The four key questions of such a safety impact assessment for IoT include the following:

Given the intended use of the product, is there anything harmful that could occur if the product stopped working as intended or stopped working completely?

Are there any safety-critical services or other products that rely on the functioning of this product?

If a device is compromised, are there any physical effects that could occur downstream from bad data coming from the device?

For safety-critical devices, what would happen if an attacker disabled the built-in safety features?

While IoT vendors have work to do in securing devices, users also have a role to play. Yeoh commented that password security is definitely mentioned in the CSA IoT paper. The use of default passwords is something in which the manufacturer can assist, but the reuse of passwords is something the user has control over, he explained.
"In addition to password protection, over-privileged access of the devices and the applications interacting with devices is something users can control," Yeoh said. "These devices and interfaces shouldn't have privileges and capabilities beyond their intended or defined roles."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.